CISO Brief

All news with #microsoft tag

720 articles · page 2 of 36

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

🔐 Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.

Microsoft to Elevate Windows 11 Driver Quality in 2026

🔧 Microsoft is launching the Driver Quality Initiative to raise the bar for Windows 11 drivers, emphasizing security, stability, and performance across media, display, camera, audio, connectivity, and peripherals. The initiative centers on four pillars: moving drivers from kernel mode to user mode or to Microsoft class drivers; stricter partner verification and automated checks; improved Windows Update catalog hygiene; and expanded telemetry on stability, performance, battery, and thermal impact. Microsoft says it will work closely with OEMs and silicon partners including AMD and Intel, and the changes will be phased in across 2026 as WinHEC resumes. The company frames this as a partnership to restore trust in Windows quality after recent criticism.

Microsoft: macOS Update Causes Persistent Teams Prompts

📍 Microsoft confirmed that some macOS systems are showing non-dismissible location-permission prompts from Microsoft Teams. The company says a recent macOS security update is not retaining users' location-permission selections, causing the dialog to reappear. Microsoft is working with Apple and exploring a Teams-side mitigation while advising a manual macOS settings workaround. Affected users should toggle location access for Microsoft Teams and Microsoft Teams ModuleHost in System Settings.

Fox Tempest MSaaS Disruption and Artifact Signing Abuse

🔒 Fox Tempest operated a malware-signing-as-a-service that abused Microsoft Artifact Signing to generate short-lived fraudulent code-signing certificates, allowing signed malware to bypass controls. Microsoft tracked the actor since September 2025 and disrupted the MSaaS in May 2026, revoking over one thousand certificates and targeting the infrastructure. The group used hundreds of Azure tenants, preconfigured VMs on Cloudzy, and charged customers thousands for signing malicious binaries; Microsoft provides detections, IOCs, and mitigations to help defenders respond.

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.

Critical Microsoft Vulnerabilities Double; Privilege Risk

🔍 The BeyondTrust 2026 Microsoft Vulnerabilities Report shows Microsoft disclosed 1,273 vulnerabilities in 2025, while critical flaws doubled from 78 to 157 year‑over‑year. The data highlights a concentration in Elevation of Privilege (40% of CVEs) and a 73% increase in Information Disclosure, signaling attacker focus on stealth and reconnaissance. Critical bugs in cloud and Office products spiked, expanding potential blast radii beyond mere data leaks. The report's authors recommend prioritizing privilege reduction, identity visibility, and contextual remediation over patching alone.

Microsoft: Patch Download Failures in Restricted Networks

🔧 Microsoft warns that Windows Update may fail on restricted networks after installing the January 2026 optional preview updates, producing error code 0x80010002. Affected devices may download the February security update but then fail to retrieve March or later releases via the Windows Update settings. The issue stems from tightened download timeout requirements and does not affect installation capability. Admins can apply Known Issue Rollback (KIR) group policies and restart devices to work around the problem.

Storm-2949: Identity Compromise Leads to Cloud Breach

🔐 Microsoft Threat Intelligence details how Storm-2949 converted targeted identity compromise into a broad cloud breach, exfiltrating data from Microsoft 365 and production workloads in Azure. The actor abused SSPR-based social engineering to bypass MFA, performed directory discovery via Graph API, and leveraged management-plane operations to retrieve Key Vault secrets and download large volumes of data. Organizations should adopt behavior-based detections such as Microsoft Defender and tighten RBAC and administrative controls to detect and mitigate similar identity-driven cloud attacks.

Windows 11 May Patch Fails Due to EFI Partition Size

⚠️ Some Windows 11 devices fail to complete Microsoft’s May Security Update when the EFI System Partition (ESP) has roughly 10MB or less free, producing the rollback message "Something didn’t go as planned. Undoing changes." Microsoft suggested a registry tweak or rollback, while consultants warn this leaves endpoints unpatched and undermines trust in update validation. Experts recommend resizing partitions, testing fixes, and adding ESP free-space checks to endpoint health monitoring.

Protect Growing Businesses in an AI-Powered World Now

🔒 AI is reshaping work and accelerating threats, with AI-automated phishing reported to be 4.5× more effective than traditional attacks. Growing businesses must balance speed, stability, and risk while often lacking dedicated security teams. Microsoft Security promotes simple, integrated protections for devices, identities, email, and cloud apps. Microsoft 365 Business Premium provides centralized, automated defenses so operations stay resilient and customer trust is preserved.

Weekly Recap: Exchange 0-Day, NPM Supply Chain Worm

⚡ Microsoft disclosed an actively exploited XSS spoofing vulnerability in on‑premises Exchange Server (CVE-2026-42897) and issued temporary mitigation via its Exchange Emergency Mitigation Service while a permanent fix is prepared. Supply chain attacks intensified as TeamPCP compromised npm packages and node-ipc to distribute stealers and harvest credentials for cloud pivoting. A fake Hugging Face model delivered a Rust-based stealer, underscoring AI model registries as an emergent supply chain risk, while OpenAI and Microsoft announced new AI-driven vulnerability tools.

Windows 11 gains resizable taskbar and Start menu update

🛠️ Microsoft has returned resizable taskbar and Start menu controls to Windows 11 with Insider Preview Build 26300.8493 in the Experimental channel. Users can choose smaller taskbar buttons and move the taskbar to the bottom, top, left, or right via Settings > Personalization > Taskbar > Taskbar behaviors. The update also adds Start menu toggles to hide Recommended content, resize the menu, hide profile details, and improve file relevance. No restart is required.

Pwn2Own Berlin 2026: $1.3M Awarded for 47 Zero-Days

🔒 At Pwn2Own Berlin (May 14–16), researchers uncovered 47 zero-day vulnerabilities and shared almost $1.3 million in prize money, with Devcore taking $505,000. The enterprise-focused competition targeted AI databases, coding agents, LLM toolchains and NVIDIA products. Notable wins included exploits against VMware ESXi, Microsoft Exchange, SharePoint and a sandbox escape on Microsoft Edge. ZDI will disclose the findings to vendors, who have 90 days to patch.

Microsoft: KB5089549 Fails on Devices with Low ESP

⚠️ Microsoft confirmed that the May 2026 Windows 11 cumulative update KB5089549 can fail to install and roll back on systems with limited free space on the EFI System Partition (ESP). Installation may proceed to about 35–36% before aborting with 0x800f0922 errors and the rollback message. Logs show "SpaceCheck: Insufficient free space" and servicing boot file errors. Microsoft advises using Known Issue Rollback or applying a Group Policy in managed environments to mitigate.

Pwn2Own Berlin 2026: $1.298M for 47 Zero‑Days, Winners

🏆 The Pwn2Own Berlin 2026 contest at OffensiveCon (May 14–16) awarded security researchers $1,298,250 for exploiting 47 zero-day vulnerabilities across browsers, enterprise apps, servers, virtualization, containers, LLMs and local privilege escalation. Competitors earned $523,000 on day one, $385,750 on day two, and $389,500 on day three. DEVCORE topped the leaderboard with $505,000 and 50.5 Master of Pwn points; Cheng‑Da Tsai secured the highest single payout of $200,000 for an Exchange RCE chain.

Microsoft Rejects Azure Backup AKS Vulnerability Report

🔒 A security researcher alleges Microsoft quietly changed Azure Backup for AKS behavior after rejecting his March disclosure and blocking a CVE, arguing the issue required pre-existing administrative access. The reported flaw purportedly allowed a user with only the Backup Contributor role to gain cluster-admin privileges via Trusted Access. Microsoft maintains the behavior was expected and that no product changes were made, yet the researcher observed new permission checks and a shift to manual Trusted Access configuration after disclosure. CERT/CC validated the bug but the CVE process stalled, leaving defenders with limited visibility.

Emergency Zero-Day in Exchange Server Forces Mitigations

⚠️ Microsoft has warned of a zero-day cross-site scripting vulnerability in Exchange Outlook Web Access (OWA) that can be triggered by a specially crafted email. The flaw (CVE-2026-42897) is being actively exploited and affects Exchange Server 2016, 2019, and Server Subscription Edition, while Exchange Online is unaffected. Microsoft has published an automatic mitigation via the Exchange EM Service; administrators should enable EM Service or run the Exchange on-premises Mitigation Tool (EOMT) if servers are air-gapped. The interim mitigations can disrupt OWA features such as calendar printing and inline image display, and a formal security update will be released later.

Microsoft Edge to stop loading cleartext passwords

🔒 Microsoft will change Edge so saved passwords are not loaded into process memory in clear text at startup. Security researcher Tom Jøran Sønstebyseter Rønning disclosed on May 4 that Edge decrypted all stored credentials at launch and released a proof-of-concept showing how attackers with Administrator privileges could dump other users' passwords. Microsoft initially described the behavior as "by design" but now says a defense-in-depth change will roll out across Stable, Beta, Dev, Canary and Extended Stable; the fix is live in Canary and will be in build 148 and newer.

BlackFile (UNC6671): Vishing and SSO extortion campaign

🔐 Google Threat Intelligence Group (GTIG) details UNC6671, operating as "BlackFile," which uses large-scale voice phishing (vishing) and adversary-in-the-middle techniques to bypass MFA and compromise SSO access. The group targets Microsoft 365 and Okta, leveraging Python and PowerShell scripts to automate exfiltration and repurpose valid session cookies to "stream" files. GTIG highlights detection indicators such as python-requests User-Agent mismatches, nonstandard IP infrastructure, and subdomain-based credential-harvesting sites to aid defenders.

Microsoft warns of Exchange Server zero-day XSS flaw

⚠️ Microsoft has disclosed a high-severity zero-day, CVE-2026-42897, in on-premises Exchange Server that could allow an attacker to execute arbitrary code by sending a specially crafted email to an Outlook user. The flaw is an XSS vulnerability affecting all supported versions of Exchange 2016, 2019 and Subscription Edition, but not Exchange Online. Microsoft recommends enabling the Exchange Emergency Mitigation (EM) Service, which is applied by default, and provides an alternative manual mitigation via the Exchange On-premises Mitigation Tool for air-gapped environments while patches are developed.